Privacy Policy

bemycoop is operated by M.O.B.A. Network AB, a company registered in Sweden. M.O.B.A. Network AB is the controller of the personal data described in this policy.

For any questions about this policy or your data, contact us at: info@wearemoba.com.

This site is not affiliated with any specific game publisher. Game data is curated by us based on public information.

When you create an account with email + password

We collect your email address, a chosen username (lowercase, public), and your password, which we store only as a bcrypt hash — never in plain text. You may also set a display name and an avatar URL in your profile.

Lawful basis: contract (providing the service you signed up for, GDPR Art. 6(1)(b)).

When you sign in with Discord

If you choose Discord as your sign-in method, Discord shares the following with us via OAuth: Discord ID, username, global display name, avatar URL, and verified email address. We store these so we can keep you signed in and pre-fill your profile. We do not receive your Discord password.

Lawful basis: contract (Art. 6(1)(b)).

When you post LFG listings or reviews

We store the content you create: LFG listings (description, region, timezone, vibe, voice-chat preference, languages, and any game-specific extras you choose to add — for example a League of Legends rank or a LeagueOfGraphs profile URL); reviews of games and other users (rating + optional text); and helpful-votes you cast on reviews. We also store any contact tags you choose to share on a listing (Discord, Steam, Xbox, PSN, Riot ID).

Lawful basis: contract (Art. 6(1)(b)).

When you use the report system

When you flag a listing as inappropriate, we record your user ID alongside the listing being reported, the category you chose, and any free-text description you wrote. Reports are visible to our admin team only.

Lawful basis: legitimate interest (Art. 6(1)(f)) — keeping the community safe.

Server logs

Our hosting provider (Vercel) automatically collects IP addresses, request timing, and response codes in server logs for security, debugging, and abuse prevention. These logs are retained for up to 30 days.

Lawful basis: legitimate interest (Art. 6(1)(f)) — site security and reliability.

Email-verification and password-reset tokens

When you sign up with email + password, or when you request a password reset, we generate a one-time secure token and send it to you via email. Tokens are deleted after they're used or when they expire (24 hours for verification, 1 hour for password reset).

• To operate your account and the features it unlocks (posting LFG listings, leaving reviews, voting on helpfulness, filing reports).
• To display the content you create publicly on the site (LFG listings, reviews, and your public profile at /u/your-username).
• To send transactional email — only when triggered by your own actions: a welcome + email-verification message at signup, and a password-reset link if you request one.
• To maintain site security, prevent abuse, and respond to reports of policy violations.

We do not sell your data. We do not use your data for advertising. We do not currently send marketing email.

We use the following third-party services to operate the site:

• Vercel Inc. (hosting, US-based) — serves the website and processes incoming requests. Covered by the EU-US Data Privacy Framework and Standard Contractual Clauses.
• Supabase Inc. (Postgres database + object storage) — stores account data, LFG listings, reviews, helpful-votes, reports, and uploaded game cover art. Our database instance is hosted in the European Union (eu-west-1).
• Resend (Resend Inc.) (transactional email, US-based) — sends your verification and password-reset emails. Covered by Standard Contractual Clauses.
• Discord Inc. (only when you choose Discord login, US-based) — performs the OAuth handshake and shares your basic profile fields with us. Discord is a separate controller under their own privacy policy.

When you view a game card, your browser also loads images from public CDNs (Steam, Porofessor, MOBAFire, FlagCDN) to display cover art and icons. These CDNs see your IP address and user-agent at the time of the request but receive no other personal data from us.

• Account profile: until you delete your account.
• LFG listings: until you delete the listing or the expiry option you chose at post time elapses.
• Reviews and helpful-votes: until you delete the specific item or your account.
• Reports: until the reported listing is deleted (whichever comes first), at which point pending reports cascade-delete with the listing.
• Verification / reset tokens: consumed on click, otherwise expire automatically (24h or 1h).
• Server logs: up to 30 days (Vercel default).

When you delete your account, the deletion cascades immediately across our database — your profile, listings, reviews authored, reviews left about you, helpful-votes, OAuth links, and pending tokens all go with it. We do not maintain backups of deleted accounts.

If you are in the European Economic Area or the UK, you have the right to:

• Access — request a copy of all data we hold about you.
• Rectification — correct any inaccurate data. Most fields are self-serve via Edit Profile and your listings; for anything you can't change yourself, email us.
• Erasure — request deletion of your data (the “right to be forgotten”). Self-serve via the Delete Account button on Edit Profile.
• Data portability — receive your data in a machine-readable format. Email us and we'll provide a JSON export of your account.
• Objection — object to processing based on legitimate interest (server logs, reports).
• Restriction — ask us to stop processing your data while we resolve a complaint.

To exercise any of these rights, email us at info@wearemoba.com. We will respond within 30 days.

You must be at least 13 years old to create an account, which you confirm at sign-up. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe a child under 13 has created an account, contact us and we will delete it.

For details on which cookies we use and why, see our Cookie Policy. In short: only essential cookies (sign-in session and CSRF protection). No analytics, no advertising, no tracking.

We may update this policy from time to time. If we make significant changes, we will note the updated date at the top of this page and, for material changes affecting your rights, notify registered users by email when reasonably possible. Continued use of the site after the effective date constitutes acceptance.

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with your local data protection authority. In Sweden, this is the Swedish Authority for Privacy Protection (IMY).